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MEMORANDUM FOR THE RECORD 
SUBJECT: Presidential Privacy Initiative 


REFERENCE: Ltr to Rick Neustadt, Department of Commerce, 
dated 15 August 1978 (DDA 78-2967/1) 


1. On 13 September I received a telephone call from 
Ms. Stacy Dean in the Office of Consumer Affairs. TI returned 
the call on 14 September and learned that Ms. Dean had been 
tasked to work on the various Agency comments on that part of 
the Presidential Privacy Initiative which bore upon the ques- 
tion of electronic funds transfers (EFT). EFT was the sub- 
ject of Section 4B of the draft Presidential Privacy Initiative. 
As one of its decision issues the draft asked: "Should the 
Federal Government withdraw from, or restrict its operations 
of, EFT services for the private sector?" We had answered 
that question, after consultation with inStAhBNTL 
Office of Finance, by voting for the decision option which 
read: "Do not limit government operation of EFT for the pri- 
vate sector at this time." [In recommending this option we 
had suggested, again at OF's urging, the deletion of the 
qualifying "at this time." 


2. Ms. Dean said that our position had caused something 
of a stir in her office and among others working on the Ini- 
tiative because they were assuming our comment implied an 
Agency intention to use government EFT records as a source 
of intelligence information. I assured Ms. Dean that nothing 
could be farther from the truth, that we had no interest in 
nor need for the kind of information which would accrue on 
American citizens in an EFT system, and that even if we had 
an interest we had no charter for its collection. I told her 
that our position was based upon a desire to ensure that the 
services of EFT, which we had found very useful in our finan- 
cial transactions, continued to be available and that our 
deletion of the words "at this time" merely reflected a desire 
to eliminate the implication that something was wrong with EFT 
which needed correcting in the future. 
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3. Ms. Dean accepted my explanation and seemed quite 
relieved to have obtained it. She said that if there were 
any further questions she would call me back, but apparently 
there were none as I heard nothing further from her. 


4. On 18 September I had another conversation with 
Ms. Leslie Greenspan at OMB. Ms. Greenspan had been tasked 
to work on that portion of the Initiative wh ith 
the Privacy Act. She had initially called in 25X1A 
IPS; Dan had transferred her call to me. Ms. Greenspan for 
warded a restatement of the issues as they affect the admin- 
istration of the Act, and I promised to review these and call 
her back, which I did on 19 September. The restated issues 
are attached. 


5. I told Ms. Greenspan that I had no trouble with the 
policy position being presented by OMB as a consensus of the 
agencies consulted, with one exception. On the issue "should 
administration of the 'routine use’ provision of the Act be 
substantially strengthened?", I took issue with the flat 
statement in Option 3 that agencies should conduct "a re- 
sponsive public involvement program." I pointed out that an 
agency like this faces significant limitations in the ways 
in which it can involve the public in its administration of 
the Privacy Act, and that those limitations are themselves 
imposed by statute. I urged the addition of the qualifying 
phrase "within the limits imposed by other applicable laws." 
Ms. Greenspan saw the logic of my position and agreed to try 
to insert the qualifying language. Subsequently, she sent 
me a copy of a revised version of the agreed-upon optign con- 
taining the phrase, “consistent with applicable law." STATINTL 


Attachment: a/s 


STATINTL ce: OGC > ——==2 


Distribution: 


Orig - DDA Subject (via DDA) 
STATINTL 1 - oc; 
1 - AI rono 
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Issue - Should the head of each agency be asked to designate 
a_ person responsible for overseeing the agency's 
administration of the Privacy Act 

Current OMB policies assign agency heads responsibility for 
establishing internal agency procedures and responsibilities 
for administering the Privacy Act consistent with guidelines 
issued by OMB. There are significant variations in the pro- 
cedures and responsibilities established by various agencies 
~ some are very structured and centralized whereas others 

are more decentralized. 


The Privacy Commission found that agencies which experienced 
the greatest success in .implementing the Privacy Act had 
established formal mechanisms to deal with its requirements. 
The Commission believed that a critical element in this 
approach was the designation of one responsible official 

with authority to oversee the Act's implementation, and the 
Commission therefore recommended designation of such an 
official in every agency. This official's responsibilities 
would include: (1) issuing any instructions, guidelines, or 
Standards necessary to implement the Privacy Act; (2) assuring 
the consistent application of regulations and policies within 
the agency; and (3) providing for the effective education of 
system managers and decision makers who are responsible for 
the collection, maintenance or disclosure of personal informa- 
£10n'. 


Pros: 


° Increases importance, visibility and awareness of privacy 
responsibilities. ; 

° Facilitates communications on privacy matters. 

° Would speed up implementation of central policy direction 
such as OMB's proposed matching guidelines. 

° Would establish center of expertise to assist in training 
and effective implementation of the Act. 

° Would result in more uniform implementation of the provi- 
sions of the Act. 


Cons: 


° Diminishes agency head discretion. 

° Because of cross-cutting nature of privacy concerns, the 
establishment of a single person responsible for privacy 
could diminish responsibility and accountability of agency 
program and functional managers for assuring compliance 
with the Act. 
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Decision 


There is general agreement among the agencies, Domestic 
Policy Staff and OMB that it would be desirable to require 
agencies to designate a single person responsible for 
overseeing the administration of the Act. OMB is revising 
OMB Circular No. A=-108 to implement this requirement. No 
Presidential decision is considered necessary. 
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Issue - Should agency oversight procedures for developing 


new systems involvin ersonal data be reformed? * 


Federal agency decisionmaking processes for the design of 
personal data systems and the procurement of computers and 
communication capacity for such systems have been severely 
criticized. It is argued that these decisions too often 
are made at the operations level, with inadequate policy 
oversight and consideration of privacy. Considerable time, 
money, and effort have been spent in recent years design- 
ing automated recordkeeping systems which have subsequently 
been halted in the final stages of development when OMB, 
GSA, Congress or the public have discovered a lack of privacy 
considerations. In addition to the costs incurred, this 
eleventh-hour delay or cancellation of systems frequently 
leads to the loss of needed information by agencies and 
causes frustration and lowered morale among those who plan 
and develop these new systems. 


A number of steps have recently been taken to address these 
problems: 


° The President's August 31, 1978 memorandum to the heads 
of executive departments and agencies urged each agency 
head "to initiate additional efforts during the coming 
year to reduce the amount of personal information collected 
and maintained by the Federal Government, to avoid un- 
warranted disclosure of this information, and to improve 
the internal management of personal data systems." and 
asked the Director of the Office of Management and Budget 
to monitor these efforts and to keep him informed of agency 
progress. 


° As a part of the Administration's multi-year budget 
initiative, OMB is requiring agencies to identify major 
computer and telecommunication systems acquisitions in 
the current year, the budget year and four years beyond 
the budget year. OMB will provide this information 
to Congress in order to assure earlier opportunities for 
congressional review of agency plans. The list of 
acquisitions will also be provided to GSA to assist them 
in carrying out their procurement control functions. 


° Internal OMB procedures for reviewing agency FY 80 
budget proposals establish stringent criteria for 
reviewing agency budget justifications for information 
processing activities. The procedures require a review 
of agency proposals to assure that they "include a clear 
indication of the necessity for such data collections 
and the safesuards the agencv will employ to preclude 
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inadvertent or surreptitious access by unauthorized per- 
sons to such data." and that "the acquisition of data 
processing and telecommunication equipment...be reviewed 
to assure that the requirements of the Privacy Act (P.L. 
93-579) have been met." 


° A recent OMB policy issuance requires agencies to 
“establish (by November 24, 1978) a computer security 
program which includes the establishment of agency 
management control processes for all sensitive computer 
applications...including those which process personal 
data. The management control process established by 
agencies must, as a minimum, provide for defining and 
approving specifications prior to starting computer 
programming, conducting periodic design reviews during 
the design process and conducting and approving system 
tests prior to using the system operationally; assigning 
responsibility to assure that specifications for pro- 
curement of information processing capacity or services 
comply with policies; and assigning responsibility for 
the conduct of periodic risk analyses for each computer 
installation. 


° OMB, consistent with recommendations contained in the 
Third Annual Report of the President on administration 
Of the Privacy Act, recently implemented a procedure to 
give members of the public a greater opportunity to 
comment on Federal agency proposals to establish or 
alter personal data systems subject to the Privacy Act 
of 1974. A summary of agency proposals to establish 
or alter personal systems now provided to OMB and the 
Congress 60 days prior to issuing data collection forms 
or acquiring computer capacity are being published in i 
the Federal Register and mailed directly to staff of 
Members of Congress who have indicated an interest in 
privacy, privacy press and a list of private citizens 
and groups which have indicated an interest in privacy. 


te in gears 


The question, then, is whether the initiatives already taken 
will adequately address the problems and concerns identi- 
fied or whether additional measures should be taken. 


Options: 
1. Carefully monitor the results achieved by the 


initiatives taken and then take whatever additional 
measures are necessary and appropriate. 
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2. Centrally initiate additional efforts to control 
the design of personal data systems or provide 
for even earlier public involvement in the design 
of systems than provided for in the current 
initiatives. 


3. A combination of 1 plus asking agency heads to 
assign responsibility to the person responsible 
for overseeing the agency's administration of the 
Act to suggest additional government-wide reforms 
when the agency submits its plans for implementing 
the recent OMB computer security policy and in their 
annual report on implementing the Act. 


Decision 
There is general agreement among the agencies that Option 
3 be adopted. OMB is revising OMB Circular No. A-108 to 


implement this requirement. No Presidential decision is 
considered necessary. 
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Issue - Should administration of the "routine use" provision 
of the Act be substantially strengthened? 7 


The Privacy Act requires agencies to inform individuals from 
whom information is collected of the purposes for which the 
information will be used and their rights, benefits or obliga- 
tions with respect to supplying that data. 


The Act permits agencies to subsequently establish new | 
"routine uses" of the information for compatible and appro- 
priate societal purposes which may not have been foreseen 
at the time the system was established. All "routine uses" 
(those established prior to collecting personal information 
as well as those subsequently established) are subject to 
public review and comment. 


The Privacy Protection Study Commission considered the "routine 
use" provisions a major weakness of the Act. They believe it 
permits agencies great and unintended latitude to disclose 
personal information while still allowing them to uphold the 
letter of the law. The Commission advocated a substantial 
tightening of the "routine use" provision of the Act for two 
reasons: (1) they feel that agencies have interpreted nearly 
all external disclosures of information as "compatible with 

the purpose" for which the information was originally collected; 
and (2) the clause provides no standards for internal agency 
disclosures. 


In order to correct these problems, the Commission proposed 
that any "routine uses" established be consistent with the 
individuals "reasonable expectations of use and disclosure 
under which the information was provided, collected, or 
obtained." This standard would enable an individual to 
measure the subsequent use of his personal information 
against the expectation he had when he supplied it, as 
opposed to simply any technically legitimate purpose for 
which the information might be employed, whatever the 
original expectations of the individual. 


Pros: 
° Would afford individuals with an increased measure of 
control over their records. 


Would limit inappropriate internal and external disclo- 
sures of personal information. 


Cons: 


° Would impose a significant burden on agencies. 

“ A standard based on "reasonable expectations" of various. 
individuals would be difficult to implement and could 
cause significant legal problems. 
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° Would not address problem of disclosing data which was 
obtained from third parties rather than the data subjects ~ 
° Would limit congressionally intended flexibility. 


Possible compromise options 


Given the latitude provided by the Act, the Administration 
could adopt the position that agency administration of inter 
and intra agency transfers of information should be 
tightened up but not necessarily in accordance with the 
standard proposed by the Commission. This would provide 
affirmative Administration action on a major concern ex- 
pressed by the Commission. The President's August 31, 

1978 memorandum to the heads of executive departments and 
agencies requests agency heads to initiate additional 
efforts to avoid unwarranted disclosures of personal infor- 
mation and strengthen internal management of personal 
information already demonstrates Administration concern 
about this problem. In addition, OMB is currently circulat- 
ing draft guidelines on the sharing of information between 
agencies for use in "matching" programs. These guidelines 
would be a solution to one segment of the “routine use" 
problems. OMB has also recently taken steps to enhance the 
opportunities for public scrutiny of agency proposals for 
new and altered systems -- which include proposed "routine 
uses" of such information. 


Options 


lL. Revise the "routine use” provision along lines recommended 
by the Commission. 


2. Accept concept of revising "routine use" standards; and 
request OMB to take additional steps to revise the 
current OMB guidelines on "routine uses" and inter- 
agency transfers -- as they are doing in the case of 
the matching guidelines. This could include the 
development of more precise dfinitions of "compatible" 
as used in the Acts definition of "routine use." 


3. Enhance opportunities. for increased public scrutiny of 
agency administration of the routine use provisions and 
take further steps to require agencies to tighten up 
on their internal management practices -- by such actions 
as (a) follow-up by OMB on the President's August 31, 
1978 memorandum, (b) asking agency heads to task the 
individual responsible for overseeing the agencies 
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administration of the Act to develop specific plans 
and timetables for enhancing the agency's administra- 
tion of these provisions of the Act (including the 
conduct of appropriate training) and assuring that 
the agency conducts a responsive public involvement 
Programiafhn The heels anased bo op Tr app heal le [awe en! ante = 
4. Take no further action beyond the initiatives already 

underway and rely on OMB to initiate any further actions 

when necessary and appropriate under their statutory 

responsibilities for overseeing implementation of the Act. 


Decision : 
There is general agreement that option 3 should be adopted. 
OMB is revising OMB Circular No. A-108 to implement this 
option. Both Justice and Treasury have stressed that any 
new standards which may be developed for routine use should 
note preclude the transfer of information for legitmate law 
enforcement and protective purposes. No Presidential 
decision is considered necessary. 


authorized audits or investigations. 


Full implementation of the PPSC's recommendation would 
require amendment of the Privacy Act itself. The effect 
would be to place Privacy Act requirements on agencies of 
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corporate grantees and additional contracts not now sub- 
ject to the Act. Although this approach would eliminate 
much uncertainty on applicability of the Act, the benefits 
and impact are not clear. State and local governments, 
businesses, and universities are already considered to 
bear a heavy Federal paperwork and regulatory burden and 
the Administration is seeking ways to lessen this burden. 


The General Accounting Office is currently completing a 
year-long study of this issue and is expected to make 
recommendations. Additional guidance or criteria on the 
contractor provision could be developed in conjunction 
with the GAO findings and recommendations. 


Option 1. Extend the Act legislatively as recommended by 
PPSC. 


Pros 


° 


Would establish a consistent, uniform standard, thus 
avoiding the current confusion over what is a grant 
and what is a contract. 


Would enhance the general principle of privacy protection 
for government-funded recordkeeping. 


Cons 


° Would impose additional burdens and requirements on 
grantees. 


° Would add to Federal paperwork in oversight/administration. 

° Would require legislation, which could be difficult to enact. 

° No specific need for additional protection has been shown. 

Option 2. OMB should review the problems outlined in the 
forthcoming GAO report, work with procuring 
agencies to consider any additional guidance that 
could be administratively implemented and identify 
any alternative changes in legislation (to that 
proposed by PPSC) that should be considered. 


Pros 


° Would eliminate confusion as to current coverage/intent 
of the Act. 
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° Would take advantage of recent study of actual experience 
under the provision. 


° Would provide positive Administration response to expected 
GAO report. 


° Could result in administrative actions but preclude 
overcommitment since legislation may be required. 


Cons 


-° Delays action. 


Option 3. Take no action. 


Pros 

° Would require no additional resources. 

Cons 

° Would not solve the problem of confusion that exists. 
Recommendation: In view of the legal questions and complex 
issues of Federal-State-local relationships and possibly 
conflicting Administration policies, there is general 


agreement that option 2 should be selected. OMB will take 
appropriate action. : 
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